Commit graph

1422 commits

Author SHA1 Message Date
Cory Snider
0ffaa6c785 daemon: add annotations to container HostConfig
Allow clients to set annotations on a container which will applied to
the container's OCI spec.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-23 18:59:00 -05:00
Cory Snider
0c68b655f6 Fix loop-closure bugs in tests
...which were flagged by golangci-lint v1.51.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-15 12:44:52 -05:00
Tonis Tiigi
666334bd48
vendor: update buildkit to v0.11.2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-02-01 23:29:10 -08:00
Cory Snider
d634ae9b60 Wait longer for exit events on Windows
The latest version of containerd-shim-runhcs-v1 (v0.10.0-rc.4) pulled in
with the bump to ContainerD v1.7.0-rc.3 had several changes to make it
more robust, which had the side effect of increasing the worst-case
amount of time it takes for a container to exit in the worst case.
Notably, the total timeout for shutting down a task increased from 30
seconds to 60! Increase the timeouts hardcoded in the daemon and
integration tests so that they don't give up too soon.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-31 15:19:08 -05:00
Akihiro Suda
b3c5352386
rootless: support --ipc=host
Fix issue 44294

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-01-21 01:00:27 +09:00
Sebastiaan van Stijn
01fd23b625
Fix volume CreatedAt being altered on initialization
The CreatedAt date was determined from the volume's `_data`
directory (`/var/lib/docker/volumes/<volumename>/_data`).
However, when initializing a volume, this directory is updated,
causing the date to change.

Instead of using the `_data` directory, use its parent directory,
which is not updated afterwards, and should reflect the time that
the volume was created.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-01-03 16:57:04 +01:00
Sebastiaan van Stijn
ebda2fa2b5
integration/internal: use strings.Cut() and minor refactor
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-21 11:09:01 +01:00
Cory Snider
0426c76142 List images with multiple since/before filters
The List Images API endpoint has accepted multiple values for the
`since` and `before` filter predicates, but thanks to Go's randomizing
of map iteration order, it would pick an arbitrary image to compare
created timestamps against. In other words, the behaviour was undefined.
Change these filter predicates to have well-defined semantics: the
logical AND of all values for each of the respective predicates. As
timestamps are a totally-ordered relation, this is exactly equivalent to
applying the newest and oldest creation timestamps for the `since` and
`before` predicates, respectively.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-12-08 16:36:57 -05:00
Sebastiaan van Stijn
1981706196
daemon: remove migrateTrustKeyID()
The migration code is in the 22.06 branch, and if we don't migrate
the only side-effect is the daemon's ID being regenerated (as a
UUID).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-28 20:28:55 +01:00
Brian Goff
6eab4f55fa
Merge pull request #44210 from corhere/chrootarchive-without-reexec
Fix 'docker cp' mount table explosion, take four
2022-11-11 10:47:09 -08:00
Sebastiaan van Stijn
18f8ab6fbd
Merge pull request #44274 from thaJeztah/integration_cli_no_pkg_system
integration(-cli): remove uses of pkg/system.Stat()
2022-11-11 08:39:09 +01:00
Cory Snider
7d23c50599 integration: test more copy edge-cases
The existing archive implementation is not easy to reason about by
reading the source. Prepare to rewrite it by covering more edge cases in
tests. The new test cases were determined by black-box characterizing
the existing behaviour.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-26 12:06:31 -04:00
Cory Snider
1f32e3c95d Add integration test for #38995, #43390
Modify the DinD entrypoint scripts to make the issue reproducible inside
a DinD container.

Co-authored-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-26 12:04:37 -04:00
Sebastiaan van Stijn
542c735926
Merge pull request #44256 from thaJeztah/redundant_sprintfs
replace redundant fmt.Sprintf() with strconv
2022-10-25 16:48:15 -04:00
Sebastiaan van Stijn
4f43cb660a
skip TestImagePullStoredfDigestForOtherRepo() on Windows and rootless
- On Windows, we don't build and run a local  test registry (we're not running
  docker-in-docker), so we need to skip this test.
- On rootless, networking doesn't support this (currently)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 01:48:59 +02:00
Brian Goff
27530efedb
Validate digest in repo for pull by digest
This is accomplished by storing the distribution source in the content
labels. If the distribution source is not found then we check to the
registry to see if the digest exists in the repo, if it does exist then
the puller will use it.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 01:48:59 +02:00
Sebastiaan van Stijn
b43a7ac530
integration/plugin: remove deprecated overlay2.override_kernel_check
It's no longer used since e226aea280

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-10 14:46:08 +02:00
Sebastiaan van Stijn
6fd2d4e772
integration: remove uses of pkg/system.Stat()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-09 17:55:42 +02:00
Sebastiaan van Stijn
838fc976c8
integration(-cli): remove some redundant formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-08 17:41:39 +02:00
Sebastiaan van Stijn
49940ab5ee
Merge pull request #44216 from cpuguy83/volume_unnamed_label
Volume prune: only prune anonymous volumes by default
2022-10-05 19:34:47 +02:00
Brian Goff
618f26ccbc Volume prune: only prune anonymous volumes by default
This adds a new filter argument to the volume prune endpoint "all".
When this is not set, or it is a false-y value, then only anonymous
volumes are considered for pruning.

When `all` is set to a truth-y value, you get the old behavior.

This is an API change, but I think one that is what most people would
want.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-04 20:55:13 +00:00
Brian Goff
4c0e0979b4 Fix live-restore w/ restart policies + volume refs
Before this change restarting the daemon in live-restore with running
containers + a restart policy meant that volume refs were not restored.
This specifically happens when the container is still running *and*
there is a restart policy that would make sure the container was running
again on restart.

The bug allows volumes to be removed even though containers are
referencing them. 😱

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2022-09-30 22:30:58 +00:00
Sebastiaan van Stijn
786e6d80ba
integration: fix empty-lines (revive)
integration/config/config_test.go:106:31: empty-lines: extra empty line at the end of a block (revive)
    integration/secret/secret_test.go:106:31: empty-lines: extra empty line at the end of a block (revive)
    integration/network/service_test.go:58:50: empty-lines: extra empty line at the end of a block (revive)
    integration/network/service_test.go:401:58: empty-lines: extra empty line at the end of a block (revive)
    integration/system/event_test.go:30:38: empty-lines: extra empty line at the end of a block (revive)
    integration/plugin/logging/read_test.go:19:41: empty-lines: extra empty line at the end of a block (revive)
    integration/service/list_test.go:30:48: empty-lines: extra empty line at the end of a block (revive)
    integration/service/create_test.go:400:46: empty-lines: extra empty line at the start of a block (revive)
    integration/container/logs_test.go:156:42: empty-lines: extra empty line at the end of a block (revive)
    integration/container/daemon_linux_test.go:135:44: empty-lines: extra empty line at the end of a block (revive)
    integration/container/restart_test.go:160:62: empty-lines: extra empty line at the end of a block (revive)
    integration/container/wait_test.go:181:47: empty-lines: extra empty line at the end of a block (revive)
    integration/container/restart_test.go:116:30: empty-lines: extra empty line at the end of a block (revive)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-28 01:58:50 +02:00
Cory Snider
a5be811269 chore(integration): delete outdated TODO comment
The TODO comment was in regards to allowing graphdriver plugins to
provide their own ContainerFS implementations. The ContainerFS interface
has been removed from Moby, so there is no longer anything which needs
to be figured out.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-09-23 16:56:53 -04:00
Cory Snider
e332c41e9d pkg/containerfs: alias ContainerFS to string
Drop the constructor and redundant string() type-casts.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-09-23 16:56:52 -04:00
Cory Snider
95824f2b5f pkg/containerfs: simplify ContainerFS type
Iterate towards dropping the type entirely.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-09-23 16:56:49 -04:00
Sebastiaan van Stijn
dba081975a
Merge pull request #44034 from crazy-max/gha-test
ci: gha test workflow for integration and unit test
2022-09-08 15:56:42 +02:00
CrazyMax
df731c745a
integration: TestNetworkLoopbackNat is broken on GitHub Runner
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-07 22:52:34 +02:00
Sebastiaan van Stijn
31fb92c609
linting: gosec: fix or suppress G112, G114 in test code
Updating test-code only; set ReadHeaderTimeout for some, or suppress the linter
error for others.

     contrib/httpserver/server.go:11:12: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        log.Panic(http.ListenAndServe(":80", nil))
                  ^
     integration/plugin/logging/cmd/close_on_start/main.go:42:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/discard/main.go:17:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     integration/plugin/volumes/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     testutil/fixtures/plugin/basic/basic.go:25:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     volume/testutils/testutils.go:170:5: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        go http.Serve(l, mux)
           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-04 15:36:51 +02:00
Sebastiaan van Stijn
0670621291
Merge pull request #43997 from thaJeztah/healthcheck_capture_logs
daemon: capture output of killed health checks
2022-09-02 10:48:22 +02:00
Cory Snider
d0731af939 Unskip TestHealthCheckProcessKilled on Windows
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-25 19:51:41 -04:00
Cory Snider
15b8e4a490 integration: synchronize TestWaitConditions
Modifying the builtin Windows runtime to send the exited event
immediately upon the container's init process exiting, without first
waiting for the Compute System to shut down, perturbed the timings
enough to make TestWaitConditions flaky on that platform. Make
TestWaitConditions timing-independent by having the container wait
for input on STDIN before exiting.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-24 14:59:08 -04:00
Cory Snider
0cbb92bcc5
daemon: capture output of killed health checks
Add an integration test to verify that health checks are killed on
timeout and that the output is captured.

Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-24 13:59:34 +02:00
Cory Snider
4b84a33217
daemon: kill exec process on ctx cancel
Terminating the exec process when the context is canceled has been
broken since Docker v17.11 so nobody has been able to depend upon that
behaviour in five years of releases. We are thus free from backwards-
compatibility constraints.

Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-23 15:35:30 +02:00
Sebastiaan van Stijn
d082bbcc05
Merge pull request #43978 from cpuguy83/default_runtime_shim
Allow containerd shim refs in default-runtime
2022-08-18 22:59:57 +02:00
Brian Goff
e6ee27a541 Allow containerd shim refs in default-runtime
Since runtimes can now just be containerd shims, we need to check if the
reference is possibly a containerd shim.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2022-08-18 18:41:03 +00:00
Sebastiaan van Stijn
a4ac991d02
Merge pull request #43657 from thaJeztah/default_builder_version
api: set default "Builder-Version" to "2" (BuildKit) on Linux
2022-08-18 20:14:47 +02:00
Sebastiaan van Stijn
340711db3d
api: add types/volume.ListOptions for a more consistent API
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-03 23:30:28 +02:00
Sebastiaan van Stijn
2b7416ef34
testutil, integration: use types/registry.AuthConfig
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-29 23:05:21 +02:00
Brian Goff
6e21389917
Merge pull request #43800 from corhere/implicit-runtime-config
daemon: support alternative runtimes MVP
2022-07-29 09:35:22 -07:00
Cory Snider
547da0d575 daemon: support other containerd runtimes (MVP)
Contrary to popular belief, the OCI Runtime specification does not
specify the command-line API for runtimes. Looking at containerd's
architecture from the lens of the OCI Runtime spec, the _shim_ is the
OCI Runtime and runC is "just" an implementation detail of the
io.containerd.runc.v2 runtime. When one configures a non-default runtime
in Docker, what they're really doing is instructing Docker to create
containers using the io.containerd.runc.v2 runtime with a configuration
option telling the runtime that the runC binary is at some non-default
path. Consequently, only OCI runtimes which are compatible with the
io.containerd.runc.v2 shim, such as crun, can be used in this manner.
Other OCI runtimes, including kata-containers v2, come with their own
containerd shim and are not compatible with io.containerd.runc.v2.
As Docker has not historically provided a way to select a non-default
runtime which requires its own shim, runtimes such as kata-containers v2
could not be used with Docker.

Allow other containerd shims to be used with Docker; no daemon
configuration required. If the daemon is instructed to create a
container with a runtime name which does not match any of the configured
or stock runtimes, it passes the name along to containerd verbatim. A
user can start a container with the kata-containers runtime, for
example, simply by calling

    docker run --runtime io.containerd.kata.v2

Runtime names which containerd would interpret as a path to an arbitrary
binary are disallowed. While handy for development and testing it is not
strictly necessary and would allow anyone with Engine API access to
trivially execute any binary on the host as root, so we have decided it
would be safest for our users if it was not allowed.

It is not yet possible to set an alternative containerd shim as the
default runtime; it can only be configured per-container.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-27 14:22:49 -04:00
Paweł Gronowski
5571d5139b integration: TestWaitRestartedContainer
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-07-20 09:23:31 +02:00
Paweł Gronowski
c492105b8f integration: Add TestContainerWithAutoRemoveCanBeRestarted
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-07-20 09:23:28 +02:00
Sebastiaan van Stijn
52c1a2fae8
gofmt GoDoc comments with go1.19
Older versions of Go don't format comments, so committing this as
a separate commit, so that we can already make these changes before
we upgrade to Go 1.19.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-08 19:56:23 +02:00
Sebastiaan van Stijn
1cab8eda24
replace golint with revive, as it's deprecated
WARN [runner] The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner.  Replaced by revive.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-04 10:15:54 +02:00
Sebastiaan van Stijn
0bce64f08d
api: POST /containers/{id}/wait: fix validation for "condition" parameter
commit 737e8c6ab8 added validation for the wait
condition parameter, however, the default ("not-running") option was not part
of the list of valid options, resulting in a regression if the default value
was explicitly passed;

    docker scan --accept-license --version
    Error response from daemon: invalid condition: "not-running"

This patch adds the missing option, and adds a test to verify.

With this patch;

    make BIND_DIR=. DOCKER_GRAPHDRIVER=vfs TEST_FILTER=TestWaitConditions test-integration
    ...
    --- PASS: TestWaitConditions (0.04s)
    --- PASS: TestWaitConditions/removed (1.79s)
    --- PASS: TestWaitConditions/default (1.91s)
    --- PASS: TestWaitConditions/next-exit (1.97s)
    --- PASS: TestWaitConditions/not-running (1.99s)
    PASS

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-27 14:45:32 +02:00
Paweł Gronowski
56a20dbc19 container/exec: Support ConsoleSize
Now client have the possibility to set the console size of the executed
process immediately at the creation. This makes a difference for example
when executing commands that output some kind of text user interface
which is bounded by the console dimensions.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-06-24 11:54:25 +02:00
Paweł Gronowski
2ec3e14c0f test: Add tests for logging
1. Add integration tests for the ContainerLogs API call
Each test handle a distinct case of ContainerLogs output.
- Muxed stream, when container is started without tty
- Single stream, when container is started with tty

2. Add unit test for LogReader suite that tests concurrent logging
It checks that there are no race conditions when logging concurrently
from multiple goroutines.

Co-authored-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-06-10 09:26:17 +02:00
Sebastiaan van Stijn
4e09933aed
Merge pull request #43652 from thaJeztah/update_gotest_tools
vendor: gotest.tools v3.2.0
2022-05-30 13:00:29 +02:00
Sebastiaan van Stijn
7b153b9e28
api: set default "Builder-Version" to "2" (BuildKit) on Linux
Starting with the 22.06 release, buildx is the default client for
docker build, which uses BuildKit as builder.

This patch changes the default builder version as advertised by
the daemon to "2" (BuildKit), so that pre-22.06 CLIs with BuildKit
support (but no buildx installed) also default to using BuildKit
when interacting with a 22.06 (or up) daemon.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-29 16:41:07 +02:00
Sebastiaan van Stijn
a3b1b66bb3
integration: TestPingSwarmHeader(): fix incorrect ping, and cleanup
I noticed I made a mistake in the first ping ("before swarm init"), which
was not specifying the daemon's socket path and because of that testing
against the main integration daemon (not the locally spun up daemon).

While fixing that, I wondered why the test didn't actually use the client
for the requests (to also verify the client converted the response), so
I rewrote the test to use `client.Ping()` and to verify the ping response
has the expected values set.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-29 15:17:37 +02:00
Sebastiaan van Stijn
a5f6500958
replace deprecated gotest.tools' env.Patch() with t.SetEnv()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-28 12:12:39 +02:00
Sebastiaan van Stijn
c3d7a0c603
Fix validation of IpcMode, PidMode, UTSMode, CgroupnsMode
These HostConfig properties were not validated until the OCI spec for the container
was created, which meant that `container run` and `docker create` would accept
invalid values, and the invalid value would not be detected until `start` was
called, returning a 500 "internal server error", as well as errors from containerd
("cleanup: failed to delete container from containerd: no such container") in the
daemon logs.

As a result, a faulty container was created, and the container state remained
in the `created` state.

This patch:

- Updates `oci.WithNamespaces()` to return the correct `errdefs.InvalidParameter`
- Updates `verifyPlatformContainerSettings()` to validate these settings, so that
  an error is returned when _creating_ the container.

Before this patch:

    docker run -dit --ipc=shared --name foo busybox
    2a00d74e9fbb7960c4718def8f6c74fa8ee754030eeb93ee26a516e27d4d029f
    docker: Error response from daemon: Invalid IPC mode: shared.

    docker ps -a --filter name=foo
    CONTAINER ID   IMAGE     COMMAND   CREATED              STATUS    PORTS     NAMES
    2a00d74e9fbb   busybox   "sh"      About a minute ago   Created             foo

After this patch:

    docker run -dit --ipc=shared --name foo busybox
    docker: Error response from daemon: invalid IPC mode: shared.

     docker ps -a --filter name=foo
    CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

An integration test was added to verify the new validation, which can be run with:

    make BIND_DIR=. TEST_FILTER=TestCreateInvalidHostConfig DOCKER_GRAPHDRIVER=vfs test-integration

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-25 17:41:51 +02:00
Paweł Gronowski
85a7f5a09a daemon/linux: Set console size on creation
On Linux the daemon was not respecting the HostConfig.ConsoleSize
property and relied on cli initializing the tty size after the container
was created. This caused a delay between container creation and
the tty actually being resized.

This is also a small change to the api description, because
HostConfig.ConsoleSize is no longer Windows-only.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-05-19 07:57:27 +02:00
Nicolas De Loof
af5d83a641
Make it explicit raw|multiplexed stream implementation being used
fix #35761

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2022-05-12 11:36:31 +02:00
Sebastiaan van Stijn
bb1208639b
daemon: separate daemon ID from trust-key
This change is in preparation of deprecating support for old manifests.
Currently the daemon's ID is based on the trust-key ID, which will be
removed once we fully deprecate support for old manifests (the trust
key is currently only used in tests).

This patch:

- looks if a trust-key is present; if so, it migrates the trust-key
  ID to the new "engine-id" file within the daemon's root.
- if no trust-key is present (so in case it's a "fresh" install), we
  generate a UUID instead and use that as ID.

The migration is to prevent engines from getting a new ID on upgrades;
while we don't provide any guarantees on the engine's ID, users may
expect the ID to be "stable" (not change) between upgrades.

A test has been added, which can be ran with;

    make DOCKER_GRAPHDRIVER=vfs TEST_FILTER='TestConfigDaemonID' test-integration

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-04 20:17:18 +02:00
Sebastiaan van Stijn
41b96bff55
update uses of container.ContainerCreateCreatedBody to CreateResponse
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-28 22:39:20 +02:00
Sebastiaan van Stijn
64e96932bd
api: rename volume.VolumeCreateBody to volume.CreateOptions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-28 22:39:14 +02:00
Sebastiaan van Stijn
3cae9fef16
imports: remove "volumetypes" aliases for api/types/volume
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-28 22:39:04 +02:00
Sebastiaan van Stijn
176f66df9c
api/types: replace uses of deprecated types.Volume with volume.Volume
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-21 19:50:59 +02:00
Sebastiaan van Stijn
e8fa708ae5
client: ContainerStop(), ContainerRestart(): support stop-signal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 21:29:34 +02:00
Sebastiaan van Stijn
013d648888
client: CopyToContainer(), CopyFromContainer(): remove status-code handling
This was added in 93c3e6c91e, at which time only
some basic handling of non-succesful status codes was present;
93c3e6c91e/api/client/utils.go (L112-L121)

Given that since 38e6d474af non-successful status-
codes are already handled, and a 204 ("no content") status should not be an error,
this special case should no longer be needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-19 08:28:20 +02:00
Sebastiaan van Stijn
b6d58d749c
runconfig: ContainerDecoder(): fix handling of invalid JSON
Implement similar logic as is used in httputils.ReadJSON(). Before
this patch, endpoints using the ContainerDecoder would incorrectly
return a 500 (internal server error) status.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 21:44:45 +02:00
Sebastiaan van Stijn
0c9ff0b45a
api/server/httputils: add ReadJSON() utility
Implement a ReadJSON() utility to help reduce some code-duplication,
and to make sure we handle JSON requests consistently (e.g. always
check for the content-type).

Differences compared to current handling:

- prevent possible panic if request.Body is nil ("should never happen")
- always require Content-Type to be "application/json"
- be stricter about additional content after JSON (previously ignored)
- but, allow the body to be empty (an empty body is not invalid);
  update TestContainerInvalidJSON accordingly, which was testing the
  wrong expectation.
- close body after reading (some code did this)

We should consider to add a "max body size" on this function, similar to
7b9275c0da/api/server/middleware/debug.go (L27-L40)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 21:37:51 +02:00
Sebastiaan van Stijn
101dafd049
daemon/config: move proxy settings to "proxies" struct within daemon.json
This is a follow-up to 427c7cc5f8, which added
proxy-configuration options ("http-proxy", "https-proxy", "no-proxy") to the
dockerd cli and in `daemon.json`.

While working on documentation changes for this feature, I realised that those
options won't be "next" to each-other when formatting the daemon.json JSON, for
example using `jq` (which sorts the fields alphabetically). As it's possible that
additional proxy configuration options are added in future, I considered that
grouping these options in a struct within the JSON may help setting these options,
as well as discovering related options.

This patch introduces a "proxies" field in the JSON, which includes the
"http-proxy", "https-proxy", "no-proxy" options.

Conflict detection continues to work as before; with this patch applied:

    mkdir -p /etc/docker/
    echo '{"proxies":{"http-proxy":"http-config", "https-proxy":"https-config", "no-proxy": "no-proxy-config"}}' > /etc/docker/daemon.json

    dockerd --http-proxy=http-flag --https-proxy=https-flag --no-proxy=no-proxy-flag --validate

    unable to configure the Docker daemon with file /etc/docker/daemon.json:
    the following directives are specified both as a flag and in the configuration file:
    http-proxy: (from flag: http-flag, from file: http-config),
    https-proxy: (from flag: https-flag, from file: https-config),
    no-proxy: (from flag: no-proxy-flag, from file: no-proxy-config)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 19:43:02 +02:00
Paul "TBBle" Hampson
31e1fec950 Suport vpci-class-guid in the non-containerd backend
IDType `vpci-class-guid` is a synonym of `class`.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-27 13:26:47 +11:00
Paul "TBBle" Hampson
cb07afa3cc Implement :// separator for arbitrary Windows Device IDTypes
Arbitrary here does not include '', best to catch that one early as it's
almost certainly a mistake (possibly an attempt to pass a POSIX path
through this API)

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-27 13:26:47 +11:00
Paul "TBBle" Hampson
92f13bad88 Allow Windows Devices to be activated for HyperV Isolation
If not using the containerd backend, this will still fail, but later.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-27 13:26:41 +11:00
Paul "TBBle" Hampson
c60f70f112 Break out setupWindowsDevices and add tests
Since this function is about to get more complicated, and change
behaviour, this establishes tests for the existing implementation.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2022-03-27 13:23:48 +11:00
Sebastiaan van Stijn
adf4bf772d
API: add "Swarm" header to _ping endpoint
This adds an additional "Swarm" header to the _ping endpoint response,
which allows a client to detect if Swarm is enabled on the daemon, without
having to call additional endpoints.

This change is not versioned in the API, and will be returned irregardless
of the API version that is used. Clients should fall back to using other
endpoints to get this information if the header is not present.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-25 23:54:14 +01:00
Sebastiaan van Stijn
0a3336fd7d
Merge pull request #43366 from corhere/finish-identitymapping-refactor
Finish refactor of UID/GID usage to a new struct
2022-03-25 14:51:05 +01:00
Sebastiaan van Stijn
d967ffbee0
Merge pull request #42638 from eliaskoromilas/host-devices
Mount (accessible) host devices in `--privileged` rootless containers
2022-03-24 11:19:57 +01:00
Elias Koromilas
8c7ea316d1 Mount (accessible) host devices in --privileged rootless containers
Signed-off-by: Elias Koromilas <elias.koromilas@gmail.com>
2022-03-23 22:30:22 +02:00
Sebastiaan van Stijn
45067cda33
client: remove wrapResponseError()
The wrapResponseError() utility converted some specific errors, but in
doing so, could hide the actual error message returned by the daemon.
In addition, starting with 38e6d474af,
HTTP status codes were already mapped to their corresponding errdefs
types on the client-side, making this conversion redundant.

This patch removes the wrapResponseError() utility; it's worth noting
that some error-messages will change slightly (as they now return the
error as returned by the daemon), but may cointain more details as
before, and in some cases prevents hiding the actual error.

Before this change:

    docker container rm nosuchcontainer
    Error: No such container: nosuchcontainer

    docker container cp mycontainer:/no/such/path .
    Error: No such container:path: mycontainer:/no/such/path

    docker container cp ./Dockerfile mycontainer:/no/such/path
    Error: No such container:path: mycontainer:/no/such

    docker image rm nosuchimage
    Error: No such image: nosuchimage

    docker network rm nosuchnetwork
    Error: No such network: nosuchnetwork

    docker volume rm nosuchvolume
    Error: No such volume: nosuchvolume

    docker plugin rm nosuchplugin
    Error: No such plugin: nosuchplugin

    docker checkpoint rm nosuchcontainer nosuchcheckpoint
    Error response from daemon: No such container: nosuchcontainer

    docker checkpoint rm mycontainer nosuchcheckpoint
    Error response from daemon: checkpoint nosuchcheckpoint does not exist for container mycontainer

    docker service rm nosuchservice
    Error: No such service: nosuchservice

    docker node rm nosuchnode
    Error: No such node: nosuchnode

    docker config rm nosuschconfig
    Error: No such config: nosuschconfig

    docker secret rm nosuchsecret
    Error: No such secret: nosuchsecret

After this change:

    docker container rm nosuchcontainer
    Error response from daemon: No such container: nosuchcontainer

    docker container cp mycontainer:/no/such/path .
    Error response from daemon: Could not find the file /no/such/path in container mycontainer

    docker container cp ./Dockerfile mycontainer:/no/such/path
    Error response from daemon: Could not find the file /no/such in container mycontainer

    docker image rm nosuchimage
    Error response from daemon: No such image: nosuchimage:latest

    docker network rm nosuchnetwork
    Error response from daemon: network nosuchnetwork not found

    docker volume rm nosuchvolume
    Error response from daemon: get nosuchvolume: no such volume

    docker plugin rm nosuchplugin
    Error response from daemon: plugin "nosuchplugin" not found

    docker checkpoint rm nosuchcontainer nosuchcheckpoint
    Error response from daemon: No such container: nosuchcontainer

    docker checkpoint rm mycontainer nosuchcheckpoint
    Error response from daemon: checkpoint nosuchcheckpoint does not exist for container mycontainer

    docker service rm nosuchservice
    Error response from daemon: service nosuchservice not found

    docker node rm nosuchnode
    Error response from daemon: node nosuchnode not found

    docker config rm nosuchconfig
    Error response from daemon: config nosuchconfig not found

    docker secret rm nosuchsecret
    Error response from daemon: secret nosuchsecret not found

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-20 19:04:52 +01:00
Cory Snider
098a44c07f Finish refactor of UID/GID usage to a new struct
Finish the refactor which was partially completed with commit
34536c498d, passing around IdentityMapping structs instead of pairs of
[]IDMap slices.

Existing code which uses []IDMap relies on zero-valued fields to be
valid, empty mappings. So in order to successfully finish the
refactoring without introducing bugs, their replacement therefore also
needs to have a useful zero value which represents an empty mapping.
Change IdentityMapping to be a pass-by-value type so that there are no
nil pointers to worry about.

The functionality provided by the deprecated NewIDMappingsFromMaps
function is required by unit tests to to construct arbitrary
IdentityMapping values. And the daemon will always need to access the
mappings to pass them to the Linux kernel. Accommodate these use cases
by exporting the struct fields instead. BuildKit currently depends on
the UIDs and GIDs methods so we cannot get rid of them yet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-03-14 16:28:57 -04:00
Sebastiaan van Stijn
7d70d95d8e
registry: add DefaultRegistryHost const, and improve documentation
This is more in line with other consts that are used for defaults, and makes it
slightly easier to consume than DefaultV2Registry, e.g. see:
https://github.com/oras-project/oras-go/blob/v1.1.0/pkg/auth/docker/resolver.go#L81-L84

Note that both the "index.docker.io" and "registry-1.docker.io" domains
are here for historic reasons and backward-compatibility. These domains
are still supported by Docker Hub (and will continue to be supported), but
there are new domains already in use, and plans to consolidate all legacy
domains to new "canonical" domains. Once those domains are decided on, we
should update these consts (but making sure to preserve compatibility with
existing installs, clients, and user configuration).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-27 13:48:27 +01:00
Sebastiaan van Stijn
b36d896fce
layer: remove OS from layerstore
This was added in commits fc21bf280b and
0380fbff37 in support of LCOW, but was
now always set to runtime.GOOS.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-25 15:23:23 +01:00
Sebastiaan van Stijn
01ae9525dd
Add support for platform (os and architecture) on image import
Commit 0380fbff37 added the ability to pass a
--platform flag on `docker import` when importing an archive. The intent
of that commit was to allow importing a Linux rootfs on a Windows daemon
(as part of the experimental LCOW feature).

A later commit (337ba71fc1) changed some
of this code to take both OS and Architecture into account (for `docker build`
and `docker pull`), but did not yet update the `docker image import`.

This patch updates the import endpoitn to allow passing both OS and
Architecture. Note that currently only matching OSes are accepted,
and an error will be produced when (e.g.) specifying `linux` on Windows
and vice-versa.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-24 18:24:51 +01:00
Sebastiaan van Stijn
65b92a730a
integration(-cli): remove discovery related tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:28:13 +01:00
Sebastiaan van Stijn
ce25968008
vendor: github.com/moby/sys/mount v0.3.0, mountinfo v0.5.0, signal v0.6.0, symlink v0.2.0
full diff: https://github.com/moby/sys/compare/signal/v0.5.0...signal/v0.6.0

Modules:

- github.com/moby/sys/mount v0.3.0
- github.com/moby/sys/mountinfo v0.5.0
- github.com/moby/sys/signal v0.6.0
- github.com/moby/sys/symlink v0.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-19 09:56:37 +01:00
Sebastiaan van Stijn
cef0a7c14e
vendor: github.com/opencontainers/image-spec v1.0.2
- Bring mediaType out of reserved status
- specs-go: adding mediaType to the index and manifest structures

full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-18 00:00:05 +01:00
Brian Goff
402d106142
Merge pull request #43009 from thaJeztah/skip_TestBuildWCOWSandboxSize
testing: skip TestBuildWCOWSandboxSize for now
2021-11-10 11:59:09 -08:00
Sebastiaan van Stijn
2a6a4587fa
testing: skip TestBuildWCOWSandboxSize for now
This test is failing frequently once nodes have less disk space
available. Skipping the test for now, but we can continue looking
for a good solution.

Tracked through https://github.com/moby/moby/issues/42743

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-10 15:38:22 +01:00
Sebastiaan van Stijn
eea2758761
TestBuildUserNamespaceValidateCapabilitiesAreV2: cleanup daemon storage
This should help with Jenkins failing to clean up the Workspace:

- make sure "cleanup" is also called in the defer for all daemons. keeping
  the daemon's storage around prevented Jenkins from cleaning up.
- close client connections and some readers (just to be sure)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-10 12:25:16 +01:00
Sebastiaan van Stijn
040b1d5eeb
integration/daemon: use "windows" to skip tests
For consistency, and to allow easier grepping for all tests
that we skip on windows.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 12:39:04 +02:00
Sebastiaan van Stijn
76016b846d
daemon: make sure proxy settings are sanitized when printing
The daemon can print the proxy configuration as part of error-messages,
and when reloading the daemon configuration (SIGHUP). Make sure that
the configuration is sanitized before printing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 12:39:02 +02:00
Sebastiaan van Stijn
bad4b30e65
integration: skip TestDaemonProxy on rootless CI
The proxy configuration works, but looks like we're unable to connect to the
test proxy server as part of our test;

    level=debug msg="Trying to pull example.org:5000/some/image from https://example.org:5000 v2"
    level=warning msg="Error getting v2 registry: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
    level=info msg="Attempting next endpoint for pull after error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"
    level=error msg="Handler for POST /v1.42/images/create returned error: Get \"https://example.org:5000/v2/\": proxyconnect tcp: dial tcp 127.0.0.1:45999: connect: connection refused"

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 12:39:00 +02:00
Anca Iordache
427c7cc5f8
Add http(s) proxy properties to daemon configuration
This allows configuring the daemon's proxy server through the daemon.json con-
figuration file or command-line flags configuration file, in addition to the
existing option (through environment variables).

Configuring environment variables on Windows to configure a service is more
complicated than on Linux, and adding alternatives for this to the daemon con-
figuration makes the configuration more transparent and easier to use.

The configuration as set through command-line flags or through the daemon.json
configuration file takes precedence over env-vars in the daemon's environment,
which allows the daemon to use a different proxy. If both command-line flags
and a daemon.json configuration option is set, an error is produced when starting
the daemon.

Note that this configuration is not "live reloadable" due to Golang's use of
`sync.Once()` for proxy configuration, which means that changing the proxy
configuration requires a restart of the daemon (reload / SIGHUP will not update
the configuration.

With this patch:

    cat /etc/docker/daemon.json
    {
        "http-proxy": "http://proxytest.example.com:80",
        "https-proxy": "https://proxytest.example.com:443"
    }

    docker pull busybox
    Using default tag: latest
    Error response from daemon: Get "https://registry-1.docker.io/v2/": proxyconnect tcp: dial tcp: lookup proxytest.example.com on 127.0.0.11:53: no such host

    docker build .
    Sending build context to Docker daemon  89.28MB
    Step 1/3 : FROM golang:1.16-alpine AS base
    Get "https://registry-1.docker.io/v2/": proxyconnect tcp: dial tcp: lookup proxytest.example.com on 127.0.0.11:53: no such host

Integration tests were added to test the behavior:

- verify that the configuration through all means are used (env-var,
  command-line flags, damon.json), and used in the expected order of
  preference.
- verify that conflicting options produce an error.

Signed-off-by: Anca Iordache <anca.iordache@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 12:38:59 +02:00
Sebastiaan van Stijn
13cff6d583
Fix race in TestCreateServiceSecretFileMode, TestCreateServiceConfigFileMode
Looks like this test was broken from the start, and fully relied on a race
condition. (Test was added in 65ee7fff02)

The problem is in the service's command: `ls -l /etc/config || /bin/top`, which
will either:

- exit immediately if the secret is mounted correctly at `/etc/config` (which it should)
- keep running with `/bin/top` if the above failed

After the service is created, the test enters a race-condition, checking for 1
task to be running (which it ocassionally is), after which it proceeds, and looks
up the list of tasks of the service, to get the log output of `ls -l /etc/config`.

This is another race: first of all, the original filter for that task lookup did
not filter by `running`, so it would pick "any" task of the service (either failed,
running, or "completed" (successfully exited) tasks).

In the meantime though, SwarmKit kept reconciling the service, and creating new
tasks, so even if the test was able to get the ID of the correct task, that task
may already have been exited, and removed (task-limit is 5 by default), so only
if the test was "lucky", it would be able to get the logs, but of course, chances
were likely that it would be "too late", and the task already gone.

The problem can be easily reproduced when running the steps manually:

    echo 'CONFIG' | docker config create myconfig -

    docker service create --config source=myconfig,target=/etc/config,mode=0777 --name myservice busybox sh -c 'ls -l /etc/config || /bin/top'

The above creates the service, but it keeps retrying, because each task exits
immediately (followed by SwarmKit reconciling and starting a new task);

    mjntpfkkyuuc1dpay4h00c4oo
    overall progress: 0 out of 1 tasks
    1/1: ready     [======================================>            ]
    verify: Detected task failure
    ^COperation continuing in background.
    Use `docker service ps mjntpfkkyuuc1dpay4h00c4oo` to check progress.

And checking the tasks for the service reveals that tasks exit cleanly (no error),
but _do exit_, so swarm just keeps up reconciling, and spinning up new tasks;

    docker service ps myservice --no-trunc
    ID                          NAME              IMAGE                                                                                    NODE             DESIRED STATE   CURRENT STATE                     ERROR     PORTS
    2wmcuv4vffnet8nybg3he4v9n   myservice.1       busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Ready           Ready less than a second ago
    5p8b006uec125iq2892lxay64    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete less than a second ago
    k8lpsvlak4b3nil0zfkexw61p    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete 6 seconds ago
    vsunl5pi7e2n9ol3p89kvj6pn    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete 11 seconds ago
    orxl8b6kt2l6dfznzzd4lij4s    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete 17 seconds ago

This patch changes the service's command to `sleep`, so that a successful task
(after successfully performing `ls -l /etc/config`) continues to be running until
the service is deleted. With that change, the service should (usually) reconcile
immediately, which removes the race condition, and should also make it faster :)

This patch changes the tests to use client.ServiceLogs() instead of using the
service's tasklist to directly access container logs. This should also fix some
failures that happened if some tasks failed to start before reconciling, in which
case client.TaskList() (with the current filters), could return more tasks than
anticipated (as it also contained the exited tasks);

    === RUN   TestCreateServiceSecretFileMode
        create_test.go:291: assertion failed: 2 (int) != 1 (int)
    --- FAIL: TestCreateServiceSecretFileMode (7.88s)
    === RUN   TestCreateServiceConfigFileMode
        create_test.go:355: assertion failed: 2 (int) != 1 (int)
    --- FAIL: TestCreateServiceConfigFileMode (7.87s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 10:55:54 +02:00
Brian Goff
27ba755f70 Fix racey TestHealthKillContainer
Before this change if you assume that things work the way the test
expects them to (it does not, but lets assume for now) we aren't really
testing anything because we are testing that a container is healthy
before and after we send a signal. This will give false positives even
if there is a bug in the underlying code. Sending a signal can take any
amount of time to cause a container to exit or to trigger healthchecks
to stop or whatever.

Now lets remove the assumption that things are working as expected,
because they are not.
In this case, `top` (which is what is running in the container) is
actually exiting when it receives `USR1`.
This totally invalidates the test.

We need more control and knowledge as to what is happening in the
container to properly test this.
This change introduces a custom script which traps `USR1` and flips the
health status each time the signal is received.
We then send the signal twice so that we know the change has occurred
and check that the value has flipped so that we know the change has
actually occurred.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-21 19:27:07 +00:00
Alexis Ries
9f39889dee Fixes #41871: Update daemon/daemon.go: resume healthcheck on restore
Call updateHealthMonitor for alive non-paused containers

Signed-off-by: Alexis Ries <alexis.ries.ext@orange.com>
2021-10-07 21:23:27 +02:00
Sebastiaan van Stijn
a826ca3aef
daemon.WithCommonOptions() fix detection of user-namespaces
Commit dae652e2e5 added support for non-privileged
containers to use ICMP_PROTO (used for `ping`). This option cannot be set for
containers that have user-namespaces enabled.

However, the detection looks to be incorrect; HostConfig.UsernsMode was added
in 6993e891d1 / ee2183881b,
and the property only has meaning if the daemon is running with user namespaces
enabled. In other situations, the property has no meaning.
As a result of the above, the sysctl would only be set for containers running
with UsernsMode=host on a daemon running with user-namespaces enabled.

This patch adds a check if the daemon has user-namespaces enabled (RemappedRoot
having a non-empty value), or if the daemon is running inside a user namespace
(e.g. rootless mode) to fix the detection.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-30 19:48:29 +02:00
Akihiro Suda
9e7bbdb9ba
Merge pull request #40084 from thaJeztah/hostconfig_const_cleanup
api/types: hostconfig: add some constants/enums and minor code cleanup
2021-08-28 00:21:31 +09:00
Eng Zer Jun
c55a4ac779
refactor: move from io/ioutil to io and os package
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-27 14:56:57 +08:00
Sebastiaan van Stijn
686be57d0a
Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Sebastiaan van Stijn
8207c05cfc
Merge pull request #41479 from olljanat/ci-win-containerd-support
Windows CI: Add support for testing with containerd
2021-08-24 22:29:14 +02:00
Sebastiaan van Stijn
f68260ba22
Dockerfile: frozen images: update to bullseye, remove buildpack-dep
Update the frozen images to also be based on Debian bullseye. Using the "slim"
variant (which looks to have all we're currently using),  and remove the
buildpack-dep frozen image.

The buildpack-dep image is quite large, and it looks like we only use it to
compile some C binaries, which should work fine on a regular debian image;

    docker build -t debian:bullseye-slim-gcc -<<EOF
    FROM debian:bullseye-slim
    RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends
    EOF

    docker image ls

    REPOSITORY        TAG                 IMAGE ID       CREATED          SIZE
    debian            bullseye-slim-gcc   1851750242af   About a minute ago   255MB
    buildpack-deps    bullseye            fe8fece98de2   2 days ago           834MB

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 18:23:06 +02:00
Sebastiaan van Stijn
7e67bc067f
integration/libnetwork: make delInterface() a t.Helper()
Otherwise errors within this function will all show to be at the line
number of the utility, instead of where it failed in the test:

    === RUN   TestDaemonDefaultNetworkPools
        service_test.go:23: assertion failed:
            Command:  ip link delete docker0
            ExitCode: 127
            Error:    exec: "ip": executable file not found in $PATH
            Stdout:
            Stderr:

            Failures:
            ExitCode was 127 expected 0
            Expected no error

    === RUN   TestDaemonRestartWithExistingNetwork
        service_test.go:23: assertion failed:
            Command:  ip link delete docker0
            ExitCode: 127
            Error:    exec: "ip": executable file not found in $PATH
            Stdout:
            Stderr:

            Failures:
            ExitCode was 127 expected 0
            Expected no error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 13:33:13 +02:00
Olli Janatuinen
1285c6d125 Windows CI: Add support for testing with containerd
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2021-08-17 07:09:40 -07:00
Sebastiaan van Stijn
002b38dc36
integration/network: remove unused CheckKernelMajorVersionGreaterOrEqualThen
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-12 09:16:21 +02:00
Sebastiaan van Stijn
8a25d752a9
integration/network: remove IsUserNamespace in favor of testenv equivalent
We're already using testenv here, so might as well use the exact same
function that it provides.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-12 09:12:04 +02:00
Sebastiaan van Stijn
f8795ed364
daemon: allow "builtin" as valid value for seccomp profiles
This allows containers to use the embedded default profile if a different
default is set (e.g. "unconfined") in the daemon configuration. Without this
option, users would have to copy the default profile to a file in order to
use the default.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-07 15:40:47 +02:00
Sebastiaan van Stijn
68e96f88ee
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined"
Commit b237189e6c implemented an option to
set the default seccomp profile in the daemon configuration. When that PR
was reviewed, it was discussed to have the option accept the path to a custom
profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966

However, in the implementation, the special "unconfined" value was not taken into
account. The "unconfined" value is meant to disable seccomp (more factually:
run with an empty profile).

While it's likely possible to achieve this by creating a file with an an empty
(`{}`) profile, and passing the path to that file, it's inconsistent with the
`--security-opt seccomp=unconfined` option on `docker run` and `docker create`,
which is both confusing, and makes it harder to use (especially on Docker Desktop,
where there's no direct access to the VM's filesystem).

This patch adds the missing check for the special "unconfined" value.

Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-07 15:40:45 +02:00
Sebastiaan van Stijn
98f0f0dd87
api/types: hostconfig: define consts for IpcMode
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-06 19:05:51 +02:00
Sebastiaan van Stijn
656a5e2bdf
Merge pull request #42559 from rvolosatovs/system_df_types
Add `type` parameter to `/system/df`
2021-08-02 21:03:05 +02:00
Roman Volosatovs
47ad2f3dd6
API,daemon: support type URL parameter to /system/df
Let clients choose object types to compute disk usage of.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-27 12:17:45 +02:00
Roman Volosatovs
a34d804572
integration: remove deprecated endpoint test
`/containers/<name>/copy` endpoint was deprecated in 1.8 and errors
since 1.12. See https://github.com/moby/moby/pull/22149 for more info.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-07-26 22:42:21 +02:00
Roman Volosatovs
dd01abf9bf
integration: copy loop variable into parallel test closures
Discovered a few instances, where loop variable is incorrectly used
within a test closure, which is marked as parallel.
Few of these were actually loops over singleton slices, therefore the issue
might not have surfaced there (yet), but it is good to fix there as
well, as this is an incorrect pattern used across different tests.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-07-22 22:46:12 +02:00
Sebastiaan van Stijn
314759dc2f
Merge pull request #42393 from aiordache/daemon_config
Daemon config validation
2021-06-23 19:32:07 +02:00
Rich Horwood
8f80e55111 Add configuration validation option and tests.
Fixes #36911

If config file is invalid we'll exit anyhow, so this just prevents
the daemon from starting if the configuration is fine.

Mainly useful for making config changes and restarting the daemon
iff the config is valid.

Signed-off-by: Rich Horwood <rjhorwood@apple.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
2021-06-23 09:54:55 +00:00
Sebastiaan van Stijn
2773f81aa5
Merge pull request #42445 from thaJeztah/bump_golang_ci
[testing] ~update~ fix linting issues found by golangci-lint v1.40.1
2021-06-16 22:15:01 +02:00
Sebastiaan van Stijn
dc7cbb9b33
remove layerstore indexing by OS (used for LCOW)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 17:49:11 +02:00
Sebastiaan van Stijn
bb17074119
reformat "nolint" comments
Unlike regular comments, nolint comments should not have a leading space.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 13:03:42 +02:00
Sebastiaan van Stijn
7c91fd4240
unused: ignore false positives
integration/build/build_session_test.go:92:6: func `testBuildWithSession` is unused (unused)
    func testBuildWithSession(t *testing.T, client dclient.APIClient, daemonHost string, dir, dockerfile string) (outStr string) {
         ^
    integration/container/checkpoint_test.go:23:6: func `containerExec` is unused (unused)
    func containerExec(t *testing.T, client client.APIClient, cID string, cmd []string) {
         ^
    integration/network/service_test.go:295:6: func `swarmIngressReady` is unused (unused)
    func swarmIngressReady(client client.NetworkAPIClient) func(log poll.LogT) poll.Result {
         ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 13:03:32 +02:00
Sebastiaan van Stijn
f77213efc2
gosimple: S1039: unnecessary use of fmt.Sprintf
pkg/devicemapper/devmapper.go:383:28: S1039: unnecessary use of fmt.Sprintf (gosimple)
        if err := task.setMessage(fmt.Sprintf("@cancel_deferred_remove")); err != nil {
                                  ^
    integration/plugin/graphdriver/external_test.go:321:18: S1039: unnecessary use of fmt.Sprintf (gosimple)
                http.Error(w, fmt.Sprintf("missing id"), 409)
                              ^
    integration-cli/docker_api_stats_test.go:70:31: S1039: unnecessary use of fmt.Sprintf (gosimple)
            _, body, err := request.Get(fmt.Sprintf("/info"))
                                        ^
    integration-cli/docker_cli_build_test.go:4547:19: S1039: unnecessary use of fmt.Sprintf (gosimple)
                "--build-arg", fmt.Sprintf("FOO1=fromcmd"),
                               ^
    integration-cli/docker_cli_build_test.go:4548:19: S1039: unnecessary use of fmt.Sprintf (gosimple)
                "--build-arg", fmt.Sprintf("FOO2="),
                               ^
    integration-cli/docker_cli_build_test.go:4549:19: S1039: unnecessary use of fmt.Sprintf (gosimple)
                "--build-arg", fmt.Sprintf("FOO3"), // set in env
                               ^
    integration-cli/docker_cli_build_test.go:4668:32: S1039: unnecessary use of fmt.Sprintf (gosimple)
            cli.WithFlags("--build-arg", fmt.Sprintf("tag=latest")))
                                         ^
    integration-cli/docker_cli_build_test.go:4690:32: S1039: unnecessary use of fmt.Sprintf (gosimple)
            cli.WithFlags("--build-arg", fmt.Sprintf("baz=abc")))
                                         ^
    pkg/jsonmessage/jsonmessage_test.go:255:4: S1039: unnecessary use of fmt.Sprintf (gosimple)
                fmt.Sprintf("ID: status\n"),
                ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 13:03:27 +02:00
Sebastiaan van Stijn
ef4d473401
Merge pull request #42028 from thaJeztah/fix_duplicate_volume_event
volumes: only send "create" event when actually creating volume
2021-06-09 12:01:21 +02:00
Sebastiaan van Stijn
a6e51a7aee
Merge pull request #42391 from thaJeztah/nomod
Disable go modules when compiling binaries used in tests
2021-05-20 21:19:40 +02:00
Sebastiaan van Stijn
7070df3a3e
integration: ensurePlugin: disable go modules when building plugin
=== RUN   TestServicePlugin
        plugin_test.go:42: assertion failed: error is not nil: error building basic plugin bin: no required module provides package github.com/docker/docker/testutil/fixtures/plugin/basic: go.mod file not found in current directory or any parent directory; see 'go help modules'
            : exit status 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 09:51:33 +02:00
Sebastiaan van Stijn
fe54215fb3
Update test certificates
Updates the certificates to account for current versions of Go expecting
SANs to be used instead of the Common Name field:

    FAIL: s390x.integration.plugin.authz TestAuthZPluginTLS (0.53s)
    [2020-07-26T09:36:58.638Z]     authz_plugin_test.go:132: assertion failed:
        error is not nil: error during connect: Get "https://localhost:4271/v1.41/version":
        x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 09:43:21 +02:00
Akihiro Suda
2f0d6664a1 integration: remove KernelMemory tests
Starting with runc v1.0.0-rc94, runc no longer supports KernelMemory.

52390d6804

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-05-11 23:33:33 +08:00
Sebastiaan van Stijn
e5ae83e503
volumes: only send "create" event when actually creating volume
The VolumesService did not have information wether or not a volume
was _created_ or if a volume already existed in the driver, and
the existing volume was used.

As a result, multiple "create" events could be generated for the
same volume. For example:

1. Run `docker events` in a shell to start listening for events
2. Create a volume:

    docker volume create myvolume

3. Start a container that uses that volume:

    docker run -dit -v myvolume:/foo busybox

4. Check the events that were generated:

    2021-02-15T18:49:55.874621004+01:00 volume create myvolume (driver=local)
    2021-02-15T18:50:11.442759052+01:00 volume create myvolume (driver=local)
    2021-02-15T18:50:11.487104176+01:00 container create 45112157c8b1382626bf5e01ef18445a4c680f3846c5e32d01775dddee8ca6d1 (image=busybox, name=gracious_hypatia)
    2021-02-15T18:50:11.519288102+01:00 network connect a19f6bb8d44ff84d478670fa4e34c5bf5305f42786294d3d90e790ac74b6d3e0 (container=45112157c8b1382626bf5e01ef18445a4c680f3846c5e32d01775dddee8ca6d1, name=bridge, type=bridge)
    2021-02-15T18:50:11.526407799+01:00 volume mount myvolume (container=45112157c8b1382626bf5e01ef18445a4c680f3846c5e32d01775dddee8ca6d1, destination=/foo, driver=local, propagation=, read/write=true)
    2021-02-15T18:50:11.864134043+01:00 container start 45112157c8b1382626bf5e01ef18445a4c680f3846c5e32d01775dddee8ca6d1 (image=busybox, name=gracious_hypatia)

5. Notice that a "volume create" event is created twice;

    - once when `docker volume create` was ran
    - once when `docker run ...` was ran

This patch moves the generation of (most) events to the volume _store_, and only
generates an event if the volume did not yet exist.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-05 16:02:22 +02:00
Olli Janatuinen
bffa730860 Prepare tests for Windows containerd support
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2021-04-22 10:50:00 +03:00
Sebastiaan van Stijn
95bb41ae95
Merge pull request #42210 from cpuguy83/plugin_layer_mediatype
Use docker media type for plugin layers
2021-04-06 17:22:05 +02:00
Akihiro Suda
c8ff7305f6
Merge pull request #41893 from AkihiroSuda/fix-41457
rootless: support --pid=host
2021-04-06 14:30:40 +09:00
Brian Goff
a876ede24f Use docker media type for plugin layers
This was changed as part of a refactor to use containerd dist code. The
problem is the OCI media types are not compatible with older versions of
Docker.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-04-05 21:46:53 +00:00
Brian Goff
dd14dbd53d
Merge pull request #42251 from thaJeztah/fix_testinspect
Fix flaky TestInspect
2021-04-05 10:18:19 -07:00
Sebastiaan van Stijn
00cb3073f4
Fix flaky TestInspect
This test has been flaky for a long time, failing with:

    --- FAIL: TestInspect (12.04s)
        inspect_test.go:39: timeout hit after 10s: waiting for tasks to enter run state. task failed with error: task: non-zero exit (1)

While looking through logs, noticed tasks were started, entering RUNNING stage,
and then exited, to be started again.

    state.transition="STARTING->RUNNING"
    ...
    msg="fatal task error" error="task: non-zero exit (1)"
    ...
    state.transition="RUNNING->FAILED"

Looking for possible reasons, first considering network issues (possibly we ran
out of IP addresses or networking not cleaned up), then I spotted the issue.

The service is started with;

    Command:         []string{"/bin/top"},
    Args:            []string{"-u", "root"},

The `-u root` is not an argument for the service, but for `/bin/top`. While the
Ubuntu/Debian/GNU version `top` has a -u/-U option;

    docker run --rm ubuntu:20.04 top -h 2>&1 | grep '\-u'
      top -hv | -bcEHiOSs1 -d secs -n max -u|U user -p pid(s) -o field -w [cols]

The *busybox* version of top does not:

    docker run --rm busybox top --help 2>&1 | grep '\-u'

So running `top -u root` would cause the task to fail;

    docker run --rm busybox top -u root
    top: invalid option -- u
    ...

    echo $?
    1

As a result, the service went into a crash-loop, and because the `poll.WaitOn()`
was running with a short interval, in many cases would _just_ find the RUNNING
state, perform the `service inspect`, and pass, but in other cases, it would not
be that lucky, and continue polling untill we reached the 10 seconds timeout,
and mark the test as failed.

Looking for history of this option (was it previously using a different image?) I
found this was added in 6cd6d8646a, but probably
just missed during review.

Given that the option is only set to have "something" to inspect, I replaced
the `-u root` with `-d 5`, which makes top refresh with a 5 second interval.

Note that there is another test (`TestServiceListWithStatuses) that uses the same
spec, however, that test is skipped based on API version of the test-daemon, and
(to be looked into), when performing that check, no API version is known, causing
the test to (always?) be skipped:

    === RUN   TestServiceListWithStatuses
        --- SKIP: TestServiceListWithStatuses (0.00s)
            list_test.go:34: versions.LessThan(testEnv.DaemonInfo.ServerVersion, "1.41")

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-03 19:26:56 +02:00
Sebastiaan van Stijn
97a5b797b6
Use designated test domains (RFC2606) in tests
Some tests were using domain names that were intended to be "fake", but are
actually registered domain names (such as domain.com, registry.com, mytest.com).

Even though we were not actually making connections to these domains, it's
better to use domains that are designated for testing/examples in RFC2606:
https://tools.ietf.org/html/rfc2606

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 14:06:27 +02:00
Sebastiaan van Stijn
f845b98ca6
integration: update getExternalAddress to prefer IPv4
Rootlesskit doesn't currently handle IPv6 addresses, causing TestNetworkLoopbackNat
and TestNetworkNat to fail;

    Error starting userland proxy:
    error while calling PortManager.AddPort(): listen tcp: address :::8080: too many colons in address

This patch:

- Updates `getExternalAddress()` to pick IPv4 address if both IPv6 and IPv4 are found
- Update TestNetworkNat to net.JoinHostPort(), so that square brackets are used for
  IPv6 addresses (e.g. `[::]:8080`)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-22 11:51:07 +01:00
Sebastiaan van Stijn
54ca929a70
integration/container: wrap some long lines for readability
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-22 11:08:07 +01:00
Brian Goff
546c33cede
Merge pull request #41989 from alexisries/docker-dind-integration-test-fix-subnet-missmatch
Update TestDaemonRestartWithLiveRestore: fix docker0 subnet missmatch
2021-02-17 10:35:50 -08:00
Brian Goff
3d96682687
Merge pull request #41936 from thaJeztah/fix_image_reference 2021-02-16 09:39:19 -08:00
Sebastiaan van Stijn
fa480403c7
TestBuildUserNamespaceValidateCapabilitiesAreV2: verify build completed
Check if the `docker build` completed successfully before continuing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-15 16:08:40 +01:00
Sebastiaan van Stijn
26965fbfa0
TestBuildUserNamespaceValidateCapabilitiesAreV2: use correct image name
This currently doesn't make a difference, because load.FrozenImagesLinux()
currently loads all frozen images, not just the specified one, but in case
that is fixed/implemented at some point.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-15 14:02:41 +01:00
Alexis Ries
96e103feb1 Update TestDaemonRestartWithLiveRestore: fix docker0 subnet missmatch
Fix docker0 subnet missmatch when running from docker in docker (dind)

Signed-off-by: Alexis Ries <ries.alexis@gmail.com>
2021-02-05 18:55:21 +01:00
Akihiro Suda
227687f2ef
rootless: support --pid=host
Fix #41457

related: https://github.com/containers/podman/blob/v3.0.0-rc1/pkg/specgen/generate/oci.go#L248-L257

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-01 14:55:18 +09:00
Akihiro Suda
7994443c15
integration: port TestRunModePIDHost from CLI test to API test
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-01 14:54:07 +09:00
Akihiro Suda
c316dd7cc5
TestInspectOomKilledTrue: skip on cgroup v2
The test fails intermittently on cgroup v2.

```
=== FAIL: amd64.integration.container TestInspectOomKilledTrue (0.53s)
    kill_test.go:171: assertion failed: true (true bool) != false (inspect.State.OOMKilled bool)
```

Tracked in issue 41929

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-29 16:05:15 +09:00
Brian Goff
35c2d1cd3c
Merge pull request #41917 from AkihiroSuda/fix-cgroup2-tests
TestCgroupNamespacesRunOlderClient: support cgroup v2
2021-01-28 11:54:28 -08:00
Sebastiaan van Stijn
f266f13965
Merge pull request #41636 from TBBle/37352-test-and-fix
Set 127GB default sandbox size for WCOW, and ensure storage-opts is honoured on all paths under WCOW and LCOW
2021-01-25 14:34:34 +01:00
Akihiro Suda
ec416c51b7
TestCgroupNamespacesRunOlderClient: support cgroup v2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-22 16:17:47 +09:00
Sebastiaan van Stijn
d5612a0ef8
Merge pull request #41854 from cpuguy83/for-linux-1169-plugins-custom-runtime-panic
Add shim config for custom runtimes for plugins
2021-01-21 16:26:36 +01:00
Brian Goff
2903863a1d Add shim config for custom runtimes for plugins
This fixes a panic when an admin specifies a custom default runtime,
when a plugin is started the shim config is nil.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-14 19:28:28 +00:00
Sebastiaan van Stijn
41e5d459f1
Merge pull request #41865 from thaJeztah/load_frozen_images
integration: fix TestBuildUserNamespaceValidateCapabilitiesAreV2 not using frozen image
2021-01-13 18:50:22 +01:00
Akihiro Suda
327daef5c1
Merge pull request #41724 from EricMountain/dishonoured-capabilities
Use v2 capabilities in layer archives
2021-01-13 15:54:29 +09:00
Sebastiaan van Stijn
46dfc31342
integration: fix TestBuildUserNamespaceValidateCapabilitiesAreV2 not using frozen image
Commit f2f5106c92 added this test to verify loading
of images that were built with user-namespaces enabled.

However, because this test spins up a new daemon, not the daemon that's set up by
the test-suite's `TestMain()` (which loads the frozen images).

As a result, the `debian:bullseye` image was pulled from Docker Hub when running
the test;

    Calling POST /v1.41/images/load?quiet=1
    Applying tar in /go/src/github.com/docker/docker/bundles/test-integration/TestBuildUserNamespaceValidateCapabilitiesAreV2/d4d366b15997b/root/165536.165536/overlay2/3f7f9375197667acaf7bc810b34689c21f8fed9c52c6765c032497092ca023d6/diff" storage-driver=overlay
    Applied tar sha256:845f0e5159140e9dbcad00c0326c2a506fbe375aa1c229c43f082867d283149c to 3f7f9375197667acaf7bc810b34689c21f8fed9c52c6765c032497092ca023d6, size: 5922359
    Calling POST /v1.41/build?buildargs=null&cachefrom=null&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=&labels=null&memory=0&memswap=0&networkmode=&rm=0&shmsize=0&t=capabilities%3A1.0&target=&ulimits=null&version=
    Trying to pull debian from https://registry-1.docker.io v2
    Fetching manifest from remote" digest="sha256:f169dbadc9021fc0b08e371d50a772809286a167f62a8b6ae86e4745878d283d" error="<nil>" remote="docker.io/library/debian:bullseye
    Pulling ref from V2 registry: debian:bullseye
    ...

This patch updates `TestBuildUserNamespaceValidateCapabilitiesAreV2` to load the
frozen image. `StartWithBusybox` is also changed to `Start`, because the test
is not using the busybox image, so there's no need to load it.

In a followup, we should probably add some utilities to make this easier to set up
(and to allow passing the list frozen images that we want to load, without having
to "hard-code" the image name to load).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-08 13:25:21 +01:00
Brian Goff
e6591a9c7a Make test work with rootless mode
Using `d.Kill()` with rootless mode causes the restarted daemon to not
be able to start containerd (it times out).

Originally this was SIGKILLing the daemon because we were hoping to not
have to manipulate on disk state, but since we need to anyway we can
shut it down normally.

I also tested this to ensure the test fails correctly without the fix
that the test was added to check for.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-05 00:25:33 +00:00
Tibor Vass
ffc4dc9aec
Merge pull request #41817 from simonferquel/desktop-startup-hang
Fix a potential hang when starting after a non-clean shutdown
2020-12-23 23:22:00 -08:00
Brian Goff
4a175fd050 Cleanup container shutdown check and add test
Adds a test case for the case where dockerd gets stuck on startup due to
hanging `daemon.shutdownContainer`

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-12-23 16:59:03 +00:00
Eric Mountain
95eb490780
Use v2 capabilities in layer archives
When building images in a user-namespaced container, v3 capabilities are
stored including the root UID of the creator of the user-namespace.

This UID does not make sense outside the build environment however. If
the image is run in a non-user-namespaced runtime, or if a user-namespaced
runtime uses a different UID, the capabilities requested by the effective
bit will not be honoured by `execve(2)` due to this mismatch.

Instead, we convert v3 capabilities to v2, dropping the root UID on the
fly.

Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
2020-12-23 14:16:41 +01:00
Eric Mountain
f2f5106c92
Add a test for #41723
Capabilities are serialised in VFS_CAP_REVISION_3 when an image is
built in a user-namespaced daemon, instead of VFS_CAP_REVISION_2.

This adds a test for this, though it's currently wired to fail if
the capabilities are serialised in VFS_CAP_REVISION_2 instead in this
situation, since this is unexpected.

Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
2020-12-18 07:51:44 +01:00
Sebastiaan van Stijn
2680a0fe2c
Networking: add regression test for networks endpoint with trailing slash
This adds a regression test for https://github.com/moby/moby/issues/24595

    make DOCKER_GRAPHDRIVER=vfs TEST_FILTER='TestNetworkList' test-integration

    INFO: Testing against a local daemon
    === RUN   TestNetworkList
    === RUN   TestNetworkList//networks
    === PAUSE TestNetworkList//networks
    === RUN   TestNetworkList//networks/
    === PAUSE TestNetworkList//networks/
    === CONT  TestNetworkList//networks
    === CONT  TestNetworkList//networks/
    --- PASS: TestNetworkList (0.05s)
        --- PASS: TestNetworkList//networks/ (0.01s)
        --- PASS: TestNetworkList//networks (0.01s)
    PASS

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-11-30 12:34:24 +01:00
Paul "TBBle" Hampson
1571e9331b Use specific APIs for shared mount-point behaviour
Thanks to @cpuguy83 for pointing these APIs out in #41638.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 20:00:48 +11:00
Paul "TBBle" Hampson
695b151a18 Work around small disk on Windows-RS5 CI nodes
The free disk space on the Windows RS5 CI nodes appears to be just the
right size that the TestBuildWCOWSandboxSize test can generate 21GB of
layers, and then a 21GB sandbox inside a container, and then runs out of
space while committing the layer.

Helpfully, this failure is distinguishable in the logs from a failure
when the sandbox is too small, so we can do that.

TODO: Revert this if-and-when the Windows-RS5 CI nodes have more free
space.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 19:51:46 +11:00
Paul "TBBle" Hampson
142b2b785b Add TestBuildWCOWSandboxSize integration test
This test validates that `RUN` and `COPY` both target a read-write
sandbox on Windows that is configured according to the daemon's
`storage-opts` setting.

Sadly, this is a slow test, so we need to bump the timeout to 60 minutes
from the default of 10 minutes.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 19:51:46 +11:00
Paul "TBBle" Hampson
7ba05f2b2b Rewrite VolumesMountedAsShared/Slave as Integration tests
This moves the two tests from integration-CLI to integration.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-08 23:15:15 +11:00
Brian Goff
88c0271605 Don't set default platform on container create
This fixes a regression based on expectations of the runtime:

```
docker pull arm32v7/alpine
docker run arm32v7/alpine
```

Without this change, the `docker run` will fail due to platform
matching on non-arm32v7 systems, even though the image could run
(assuming the system is setup correctly).

This also emits a warning to make sure that the user is aware that a
platform that does not match the default platform of the system is being
run, for the cases like:

```
docker pull --platform armhf busybox
docker run busybox
```

Not typically an issue if the requests are done together like that, but
if the image was already there and someone did `docker run` without an
explicit `--platform`, they may very well be expecting to run a native
version of the image instead of the armhf one.

This warning does add some extra noise in the case of platform specific
images being run, such as `arm32v7/alpine`, but this can be supressed by
explicitly setting the platform.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-10-20 20:17:23 +00:00
Tibor Vass
29b149ebb1
Merge pull request #41430 from TBBle/40444-update-gowinio-for-8gB-file-fix
Revendor Microsoft/go-winio for 8gB file fix when importing or committing image layers
2020-09-24 11:16:10 -07:00
Olli Janatuinen
66a37b460c Windows: Enable more integration tests
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2020-09-20 22:09:27 +03:00
Paul "TBBle" Hampson
2dd9faaa16 Enable TestBuildWithHugeFile on Windows
This reproduces #40444, based on a suggestion from GitHub user @marosset

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-09-19 23:13:44 +10:00
limeidan
2344b3a9e1 fix integration test case TestExternalGraphDriver failed in mips arch
Signed-off-by: limeidan <limeidan@loongson.cn>
2020-09-15 10:04:00 +08:00
Brian Goff
bf6f0d82bc
Merge pull request #41360 from lzhfromustc/GL_5
Builder: Add 1 buffer to two channels to avoid blocking goroutine
2020-09-12 21:43:05 -07:00
Sebastiaan van Stijn
5ca758199d
replace pkg/locker with github.com/moby/locker
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 22:15:40 +02:00
lzhfromustc
d1c2f953c5 Test: Add buffer to two channels to avoid blocking goroutine
Signed-off-by: Ziheng Liu <lzhfromustc@gmail.com>
2020-08-27 18:53:43 -04:00
Brian Goff
24f173a003 Replace service "Capabilities" w/ add/drop API
After dicussing with maintainers, it was decided putting the burden of
providing the full cap list on the client is not a good design.
Instead we decided to follow along with the container API and use cap
add/drop.

This brings in the changes already merged into swarmkit.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-07-27 10:09:42 -07:00
Sebastiaan van Stijn
06832a702d
Merge pull request #41065 from AkihiroSuda/cgroup2-ci
test-integration: support cgroup2
2020-07-16 16:55:47 +02:00
wanghuaiqing
228d74842f Upgrading the versions of images in Dockerfile.
In order to run tests at mips64el device.
Now official-images has supported the following images for mips64el.
buildpack-deps:stretch
buildpack-deps:buster
debian:stretch
debian:buster

But official-images does not support the following images for mips64el.
debian:jessie
buildpack-deps:jessie

Signed-off-by: wanghuaiqing <wanghuaiqing@loongson.cn>
2020-06-30 12:24:06 +08:00
Sebastiaan van Stijn
3258d565cf
Fix status code for missing --volumes-from container
If the container specified in `--volumes-from` did not exist, the
API returned a 404 status, which was interpreted by the CLI as the
specified _image_ to be missing (even if that was not the case).

This patch changes these error to return a 400 (bad request);

Before this change:

    # make sure the image is present
    docker pull busybox
    docker create --volumes-from=nosuchcontainer busybox
    # Unable to find image 'busybox:latest' locally
    # latest: Pulling from library/busybox
    # Digest: sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209
    # Status: Image is up to date for busybox:latest
    # Error response from daemon: No such container: nosuchcontainer

After this change:

    # make sure the image is present
    docker pull busybox
    docker create --volumes-from=nosuchcontainer busybox
    # Error response from daemon: No such container: nosuchcontainer

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-29 13:28:14 +02:00
Akihiro Suda
ed89041433
test-integration: support cgroup2
Usage: DOCKER_BUILD_ARGS="--build-arg CONTAINERD_COMMIT=master --build-arg RUNC_COMMIT=master" DOCKER_EXPERIMENTAL=1 TEST_SKIP_INTEGRATION_CLI=1 make test-integration

Depends on containerd master (v1.4) and runc master (v1.0.0-rc91).

Currently `TEST_SKIP_INTEGRATION_CLI=1` must be specified.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-22 14:17:45 +09:00
Sebastiaan van Stijn
87b8947580
TestDaemonDNSFallback: increase timeout to reduce flakiness
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-18 10:10:30 +02:00
Brian Goff
7fa2026620
Merge pull request #40938 from thaJeztah/move_pidslimit
API: swarm: move PidsLimit to TaskTemplate.Resources
2020-06-11 12:04:44 -07:00
Sebastiaan van Stijn
687bdc7c71
API: swarm: move PidsLimit to TaskTemplate.Resources
The initial implementation followed the Swarm API, where
PidsLimit is located in ContainerSpec. This is not the
desired place for this property, so moving the field to
TaskTemplate.Resources in our API.

A similar change should be made in the SwarmKit API (likely
keeping the old field for backward compatibility, because
it was merged some releases back)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-05 12:50:38 +02:00
Kir Kolyshkin
9b77370213 int/build/TestBuildWithEmptyLayers: prevent panic
The test case panics like that:

> build_test.go:381: assertion failed: 3 (int) != 1 (int)
> panic: runtime error: index out of range [2] with length 1 [recovered]
> panic: runtime error: index out of range [2] with length 1

The fix is trivial.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-06-04 11:22:04 -07:00
Tibor Vass
9a78e916ad integration: Add TestDaemonDNSFallback
Signed-off-by: Tibor Vass <tibor@docker.com>
2020-05-28 04:30:51 +00:00
Tibor Vass
5c10ea6ae8
Merge pull request #40725 from cpuguy83/check_img_platform
Accept platform spec on container create
2020-05-21 11:33:27 -07:00
Cristina Yenyxe Gonzalez Garcia
0154dc7a23 Using test names instead of hardcoded ones in integration/image directory
Signed-off-by: Cristina Yenyxe Gonzalez Garcia <cristina.yenyxe@gmail.com>
2020-05-18 16:37:09 +01:00
Cristina Yenyxe Gonzalez Garcia
4cabad6bae Using test names instead of hardcoded ones in integration/container directory
Signed-off-by: Cristina Yenyxe Gonzalez Garcia <cristina.yenyxe@gmail.com>
2020-05-18 16:37:04 +01:00
Cristina Yenyxe Gonzalez Garcia
6bc112abde Fixed small documentation typo
Signed-off-by: Cristina Yenyxe Gonzalez Garcia <cristina.yenyxe@gmail.com>
2020-05-18 16:36:53 +01:00
Cristina Yenyxe Gonzalez Garcia
ebd025b63a Using test names instead of hardcoded ones in integration/build directory
Signed-off-by: Cristina Yenyxe Gonzalez Garcia <cristina.yenyxe@gmail.com>
2020-05-18 16:36:23 +01:00
Sebastiaan van Stijn
0fc914de5c
Merge pull request #40595 from sfzhu93/GL_2_25
[integration] add buffer to prevent goroutine leak
2020-05-08 16:00:52 +02:00
Akihiro Suda
33ee7941d4 support --privileged --cgroupns=private on cgroup v1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-04-21 23:11:32 +09:00
Akihiro Suda
ba8129b28a
Merge pull request #39946 from cpuguy83/plugins_use_containerd_dist
Replace plugin distribution code w/ containerd
2020-04-21 10:03:16 +09:00
Sebastiaan van Stijn
c8e31dc2f2
Merge pull request #39882 from thaJeztah/swarm_pids_limit
Add API support for PidsLimit on services
2020-04-16 21:02:30 +02:00
Sebastiaan van Stijn
54d88a7cd3
Merge pull request #40478 from cpuguy83/dont-prime-the-stats
Add stats options to not prime the stats
2020-04-16 20:57:06 +02:00
Sebastiaan van Stijn
157c53c8e0
Add API support for PidsLimit on services
Support for PidsLimit was added to SwarmKit in docker/swarmkit/pull/2415,
but never exposed through the Docker remove API.

This patch exposes the feature in the repote API.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-15 22:37:42 +02:00
Brian Goff
eac618caaa
Merge pull request #39771 from thaJeztah/cleanup_TestTemplatedConfig
Integration: fix various issues in "config" and "secret" tests
2020-04-15 10:35:33 -07:00
Sebastiaan van Stijn
cdc39fa29c
integration/config: add check for removing non-existing config
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:38 +02:00
Sebastiaan van Stijn
1a7ffe4fe4
integration/secret: add check for empty list not producing an error
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:36 +02:00
Sebastiaan van Stijn
632cc7019a
integration/config: remove check that was already done in TestConfigInspect
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:34 +02:00
Sebastiaan van Stijn
26f2eddaa3
integration/config: combine TestConfigCreateWithLabels with TestConfigsCreateAndDelete
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:29 +02:00
Sebastiaan van Stijn
3c4b258f21
integration/secret: don't string-match errors
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:26 +02:00
Sebastiaan van Stijn
18cae89436
integration/config: don't string-match errors
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:24 +02:00
Sebastiaan van Stijn
348f412d85
integration: sync minor changes between config and secret tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:22 +02:00
Sebastiaan van Stijn
a45c89ecd1
integration/secret: fix TestSecretInspect not actually checking response
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:21 +02:00
Sebastiaan van Stijn
25424cf772
integration/config: move functions to be in line with "secret" tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:19 +02:00
Sebastiaan van Stijn
3c6f018f94
integration/secret: TestTemplatedSecret: simplify task code
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:17 +02:00
Sebastiaan van Stijn
de78663181
integration/secret: rename variables that collided with imported package name
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:15 +02:00
Sebastiaan van Stijn
dd67b4794e
integration/config: TestTemplatedConfig: simplify task code
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:13 +02:00
Sebastiaan van Stijn
ec78112edd
integration/config: rename variables that collided with imported package name
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 18:31:11 +02:00
Brian Goff
ced91bee4b On startup, actually shutdown the container.
When a container is left running after the daemon exits (e.g. the daemon
is SIGKILL'd or crashes), it should stop any running containers when the
daemon starts back up.

What actually happens is the daemon only sends the container's
configured stop signal and does not check if it has exited.
If the container does not actually exit then it is left running.

This fixes this unexpected behavior by calling the same function to shut
down the container that the daemon shutdown process does.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-04-13 14:20:12 -07:00
Brian Goff
d7ba1f85ef Use containerd dist libs for plugin pull/pull
This removes the use of the old distribution code in the plugin packages
and replaces it with containerd libraries for plugin pushes and pulls.

Additionally it uses a content store from containerd which seems like
it's compatible with the old "basicBlobStore" in the plugin package.
This is being used locally isntead of through the containerd client for
now.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-04-02 15:03:06 -07:00
Sebastiaan van Stijn
af0415257e
Merge pull request #40694 from kolyshkin/moby-sys-mount-part-II
switch to moby/sys/{mount,mountinfo} part II
2020-04-02 21:52:21 +02:00
Brian Goff
7a9cb29fb9 Accept platform spec on container create
This enables image lookup when creating a container to fail when the
reference exists but it is for the wrong platform. This prevents trying
to run an image for the wrong platform, as can be the case with, for
example binfmt_misc+qemu.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-03-20 16:10:36 -07:00
Kir Kolyshkin
39048cf656 Really switch to moby/sys/mount*
Switch to moby/sys/mount and mountinfo. Keep the pkg/mount for potential
outside users.

This commit was generated by the following bash script:

```
set -e -u -o pipefail

for file in $(git grep -l 'docker/docker/pkg/mount"' | grep -v ^pkg/mount); do
	sed -i -e 's#/docker/docker/pkg/mount"#/moby/sys/mount"#' \
		-e 's#mount\.\(GetMounts\|Mounted\|Info\|[A-Za-z]*Filter\)#mountinfo.\1#g' \
		$file
	goimports -w $file
done
```

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-20 09:46:25 -07:00
Akihiro Suda
5e1b246b9a test-integration: support more rootless tests
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-16 17:37:38 +09:00
Akihiro Suda
5bf33adba2 hack: support $DOCKER_ROOTLESS for testing rootless
```
$ DOCKER_EXPERIMENTAL=1 DOCKER_ROOTLESS=1 TEST_SKIP_INTEGRATION_CLI=1 \
 make test-integration
```

test-integration-cli is unsupported currently.
Also, tests that spawn custom daemon (testutil/daemon) are skipped.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-10 05:49:45 +09:00
Arko Dasgupta
2e0762ae44
Add TC for com.docker.network.host_ipv4 label
This PR adds a testcase for the com.docker.network.host_ipv4
label commited via https://github.com/docker/libnetwork/pull/2454

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-03-09 18:51:19 +01:00
Sebastiaan van Stijn
e1710b42d3
vendor: bump libnetwork bf2bd42abc0a3734f12b5ec724e571434e42c669
full diff: 264bffcb88...bf2bd42abc

relevant changes:

- docker/libnetwork#2407 Macvlan internal network should not change default gateway
    - fixes docker/libnetwork#2406 Internal macvlan network overrides default gateway
- vendor godbus/dbus v5
- Fix InhibitIPv4 nil panic
- Cleanup VFP during overlay network removal
    - fixes VFP leak in windows overlay network deletion

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-07 00:35:47 +01:00
Akihiro Suda
3fbc41fe36 TestCgroupDriverSystemdMemoryLimit: fix failure
The test was failing:

  --- FAIL: TestCgroupDriverSystemdMemoryLimit (1.76s)
      cgroupdriver_systemd_test.go:54: assertion failed: 67108864 (s.HostConfig.Memory int64) != 67108864 (mem int)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-03 11:30:55 +09:00
Brian Goff
ce1ceeb257 Add stats options to not prime the stats
Metrics collectors generally don't need the daemon to prime the stats
with something to compare since they already have something to compare
with.
Before this change, the API does 2 collection cycles (which takes
roughly 2s) in order to provide comparison for CPU usage over 1s. This
was primarily added so that `docker stats --no-stream` had something to
compare against.

Really the CLI should have just made a 2nd call and done the comparison
itself rather than forcing it on all API consumers.
That ship has long sailed, though.

With this change, clients can set an option to just pull a single stat,
which is *at least* a full second faster:

Old:
```
time curl --unix-socket
/go/src/github.com/docker/docker/bundles/test-integration-shell/docker.sock
http://./containers/test/stats?stream=false\&one-shot=false > /dev/null
2>&1

real0m1.864s
user0m0.005s
sys0m0.007s

time curl --unix-socket
/go/src/github.com/docker/docker/bundles/test-integration-shell/docker.sock
http://./containers/test/stats?stream=false\&one-shot=false > /dev/null
2>&1

real0m1.173s
user0m0.010s
sys0m0.006s
```

New:
```
time curl --unix-socket
/go/src/github.com/docker/docker/bundles/test-integration-shell/docker.sock
http://./containers/test/stats?stream=false\&one-shot=true > /dev/null
2>&1
real0m0.680s
user0m0.008s
sys0m0.004s

time curl --unix-socket
/go/src/github.com/docker/docker/bundles/test-integration-shell/docker.sock
http://./containers/test/stats?stream=false\&one-shot=true > /dev/null
2>&1

real0m0.156s
user0m0.007s
sys0m0.007s
```

This fixes issues with downstreams ability to use the stats API to
collect metrics.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-02-28 09:54:37 -08:00
Ziheng Liu
c322af8019 test: add buffer to prevent goroutine leak
Signed-off-by: Ziheng Liu <lzhfromustc@gmail.com>
2020-02-27 21:37:26 -05:00
Sebastiaan van Stijn
39679991f4
Merge pull request #40543 from SamWhited/upstream_logging
Upstream logging changes from Enterprise Edition
2020-02-27 13:54:14 +01:00
Akihiro Suda
26e6708ccf
Merge pull request #40475 from cpuguy83/fix_client_exec_type_id
Exec inspect field should be "ID" not "ExecID"
2020-02-26 19:11:33 +09:00
Sam Whited
a6f99232f5 Always execute tests and skip in tests themselves
See issue #40193

Signed-off-by: Sam Whited <sam@samwhited.com>
2020-02-21 14:31:01 -05:00
Brian Goff
750f0d1648 Support configuration of log cacher.
Configuration over the API per container is intentionally left out for
the time being, but is supported to configure the default from the
daemon config.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit cbecf48bc352e680a5390a7ca9cff53098cd16d7)
Signed-off-by: Madhu Venugopal <madhu@docker.com>
2020-02-19 17:02:34 -05:00
Brian Goff
e2ceb83a53 Support reads for all log drivers.
This supplements any log driver which does not support reads with a
custom read implementation that uses a local file cache.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit d675e2bf2b75865915c7a4552e00802feeb0847f)
Signed-off-by: Madhu Venugopal <madhu@docker.com>
2020-02-19 17:01:44 -05:00
Sebastiaan van Stijn
58c2615208
Merge pull request #40497 from arkodg/fix-bip-subnet-config
Set the bip network value as the subnet
2020-02-12 12:41:29 +01:00
Sebastiaan van Stijn
562880b276
Fix more goimports
```
daemon/logger/splunk/splunk_test.go:33: File is not `goimports`-ed (goimports)
        envKey:      "a",
        envRegexKey: "^foo",
        labelsKey:   "b",
        tagKey:      "c",
integration/build/build_test.go:41: File is not `goimports`-ed (goimports)
            rm:      false,
            forceRm: false,
integration/image/remove_unix_test.go:49: File is not `goimports`-ed (goimports)
        Root: d.Root,
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-11 18:56:25 +01:00
Arko Dasgupta
f800d5f786 Set the bip network value as the subnet
Dont assign the --bip value directly to the subnet
for the default bridge. Instead use the network value
from the ParseCIDR output

Addresses: https://github.com/moby/moby/issues/40392

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-02-10 17:38:54 -08:00
Sebastiaan van Stijn
9f0b3f5609
bump gotest.tools v3.0.1 for compatibility with Go 1.14
full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-11 00:06:42 +01:00
Brian Goff
cc993a9cbf Exec inspect field should be "ID" not "ExecID"
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-02-10 14:08:54 -08:00
Sebastiaan van Stijn
e55bff541e
TestLoginFailsWithBadCredentials: prepare for Go 1.14 changes
Go 1.14 adds quotes around the url in the error returned:

    === FAIL: arm64.integration.system TestLoginFailsWithBadCredentials (0.27s)
        TestLoginFailsWithBadCredentials: login_test.go:27: assertion failed: expected error "Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password", got "Error response from daemon: Get \"https://registry-1.docker.io/v2/\": unauthorized: incorrect username or password"
            Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-10 19:05:12 +01:00
Brian Goff
f464c31668 Check tmpfs mounts before create anon volume
This makes sure that things like `--tmpfs` mounts over an anonymous
volume don't create volumes uneccessarily.
One method only checks mountpoints, the other checks both mountpoints
and tmpfs... the usage of these should likely be consolidated.

Ideally, processing for `--tmpfs` mounts would get merged in with the
rest of the mount parsing. I opted not to do that for this change so the
fix is minimal and can potentially be backported with fewer changes of
breaking things.
Merging the mount processing for tmpfs can be handled in a followup.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-02-04 10:12:05 -08:00
Sebastiaan van Stijn
ca20bc4214
Merge pull request #40007 from arkodg/add-host-docker-internal
Support host.docker.internal in dockerd on Linux
2020-01-27 13:42:26 +01:00
Arko Dasgupta
92e809a680 Support host.docker.internal in dockerd on Linux
Docker Desktop (on MAC and Windows hosts) allows containers
running inside a Linux VM to connect to the host using
the host.docker.internal DNS name, which is implemented by
VPNkit (DNS proxy on the host)

This PR allows containers to connect to Linux hosts
by appending a special string "host-gateway" to --add-host
e.g. "--add-host=host.docker.internal:host-gateway" which adds
host.docker.internal DNS entry in /etc/hosts and maps it to host-gateway-ip

This PR also add a daemon flag call host-gateway-ip which defaults to
the default bridge IP
Docker Desktop will need to set this field to the Host Proxy IP
so DNS requests for host.docker.internal can be routed to VPNkit

Addresses: https://github.com/docker/for-linux/issues/264

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-01-22 13:30:00 -08:00
Drew Erny
30d9fe30b1 Add swarm jobs
Adds support for ReplicatedJob and GlobalJob service modes. These modes
allow running service which execute tasks that exit upon success,
instead of daemon-type tasks.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2020-01-13 13:21:12 -06:00
Sebastiaan van Stijn
d64156970f
Merge pull request #40309 from dperny/bump-swarmkit
Bump swarmkit to 24fb4cfe8af56803640180c5592bf32da732ced2
2020-01-09 20:16:33 +01:00
Drew Erny
07efe6a0a7 Bump swarmkit to 24fb4cfe8af56803640180c5592bf32da732ced2
Bumps the vendoring of github.com/docker/swarmkit to the above commit,
which is the current master at commit time.

Most notably, this includes a change making the ingress network respect
the default address pool. Because of this change, a change to network
integration tests was needed.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2020-01-07 09:43:22 -06:00
Akihiro Suda
19baeaca26 cgroup2: enable cgroup namespace by default
For cgroup v1, we were unable to change the default because of
compatibility issue.

For cgroup v2, we should change the default right now because switching
to cgroup v2 is already breaking change.

See also containers/libpod#4363 containers/libpod#4374

Privileged containers also use cgroupns=private by default.
https://github.com/containers/libpod/pull/4374#issuecomment-549776387

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-01 02:58:40 +09:00
Brian Goff
5f83f15ecb
Merge pull request #40193 from vikramhh/volumes_plugins_test_failure
Volume plugin tests [integration/plugin/volumes] should always be executed - checks for OS Type should happen within the test
2019-12-19 11:29:46 -08:00
Brian Goff
f9c8717d87
Merge pull request #40268 from olljanat/garbage-collector-remove-layerdb-values
Make sure that layers are removed from layerdb after succefull layer …
2019-12-18 09:49:22 -08:00
Akihiro Suda
0a4d980d71
Merge pull request #40142 from jmartin84/unique-names-intergration-service-inspect-test
refactored integration/service/instead_test.go to ues unique resource…
2019-12-13 18:25:08 +09:00
Brian Goff
b95fad8e51
Merge pull request #40263 from thaJeztah/normalize_comments
Normalize comment formatting
2019-12-12 12:06:22 -08:00
Jintao Zhang
56c5668068 Testcase: Change time comparison logic.
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
2019-12-10 20:10:28 +08:00
Olli Janatuinen
446fe7f263 Make sure that layers are removed from layerdb after succefull layer removal
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2019-11-28 20:06:09 +02:00
Sebastiaan van Stijn
92ad849327
integration: normalize comment formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-27 15:37:59 +01:00
vikrambirsingh
83783af08e Disable tests missed by PR 40155
The tests starts a new daemon, but attempts to run it with overlay2,
and using a unix:// socket, which doesn't really work on Windows.

40155 tried to disable such tests but missed two of them.
They are being disabled with this change.

Signed-off-by: vikrambirsingh <vikrambir.singh@docker.com>
2019-11-11 18:54:21 +00:00
Justen Martin
36f6cc11a4
refactored integration/service/instead_test.go to ues unique resource names
Signed-off-by: Justen Martin <jmart@the-coder.com>
2019-11-08 16:39:20 -06:00
vikrambirsingh
25c5a55261 Check for OS Type and skip within the test
Premature check for OS type means that the test
will never even get to run on other OS types. This
will cause it to be always flagged as a failure on
such OS types.

Signed-off-by: vikrambirsingh <vikrambir.singh@docker.com>
2019-11-07 22:42:20 +00:00
Kirill Kolyshkin
154cf042fd
Merge pull request #40144 from lzhfromustc/GL_outputDone
integration/internal/container: fix a goroutine leak bug
2019-11-07 12:02:47 -08:00
Sebastiaan van Stijn
a0a5ec4c6d
Integration: skip TestInfoDebug on Windows
The test starts a new daemon, but attempts to run it with overlay2,
and using a unix:// socket, which doesn't really work on Windows.

```
00:14:14.623  --- FAIL: TestInfoDebug (0.01s)
00:14:14.623      info_test.go:75: [dbe75bf7729f3] failed to start daemon with arguments [--containerd /var/run/docker/containerd/containerd.sock --data-root D:\gopath\src\github.com\docker\docker\bundles\tmp\TestInfoDebug\dbe75bf7729f3\root --exec-root C:\windows\TEMP\dxr\dbe75bf7729f3 --pidfile D:\gopath\src\github.com\docker\docker\bundles\tmp\TestInfoDebug\dbe75bf7729f3\docker.pid --userland-proxy=true --containerd-namespace dbe75bf7729f3 --containerd-plugins-namespace dbe75bf7729f3p --host unix://C:\windows\TEMP\docker-integration\dbe75bf7729f3.sock --storage-driver overlay2 --debug] : protocol not available
00:14:14.623  === RUN   TestInfoInsecureRegistries
00:14:14.623  --- FAIL: TestInfoInsecureRegistries (0.00s)
00:14:14.623      info_test.go💯 [d3c745c16a39c] failed to start daemon with arguments [--containerd /var/run/docker/containerd/containerd.sock --data-root D:\gopath\src\github.com\docker\docker\bundles\tmp\TestInfoInsecureRegistries\d3c745c16a39c\root --exec-root C:\windows\TEMP\dxr\d3c745c16a39c --pidfile D:\gopath\src\github.com\docker\docker\bundles\tmp\TestInfoInsecureRegistries\d3c745c16a39c\docker.pid --userland-proxy=true --containerd-namespace d3c745c16a39c --containerd-plugins-namespace d3c745c16a39cp --host unix://C:\windows\TEMP\docker-integration\d3c745c16a39c.sock --debug --storage-driver overlay2 --insecure-registry=192.168.1.0/24 --insecure-registry=insecurehost.com:5000] : protocol not available
00:14:14.623  === RUN   TestInfoRegistryMirrors
00:14:14.623  --- FAIL: TestInfoRegistryMirrors (0.01s)
00:14:14.623      info_test.go:124: [d277126ad0515] failed to start daemon with arguments [--containerd /var/run/docker/containerd/containerd.sock --data-root D:\gopath\src\github.com\docker\docker\bundles\tmp\TestInfoRegistryMirrors\d277126ad0515\root --exec-root C:\windows\TEMP\dxr\d277126ad0515 --pidfile D:\gopath\src\github.com\docker\docker\bundles\tmp\TestInfoRegistryMirrors\d277126ad0515\docker.pid --userland-proxy=true --containerd-namespace d277126ad0515 --containerd-plugins-namespace d277126ad0515p --host unix://C:\windows\TEMP\docker-integration\d277126ad0515.sock --debug --storage-driver overlay2 --registry-mirror=https://192.168.1.2 --registry-mirror=http://registry.mirror.com:5000] : protocol not available
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-30 17:42:52 +01:00
Ziheng Liu
6233217a31 integration/internal/container: fix a goroutine leak bug by adding 1 buffer
Signed-off-by: Ziheng Liu <lzhfromustc@gmail.com>
2019-10-27 20:22:52 -04:00
Sebastiaan van Stijn
ec4a34ae2f
integration-cli: migrate some "info" tests to integration
- Updated TestInfoSecurityOptions to not rely on CLI output. Note that this
  test should be migrated to the integration suite, but that suite does not yet
  have checks for "Seccomp" and "AppArmor"
- TestInfoAPIWarnings: don't start with busybox because we're not running containers in this test
- Migrate TestInfoDebug to integration suite
- Migrate TestInsecureRegistries to integration suite (renamed to TestInfoInsecureRegistries)
- Migrate TestRegistryMirrors to integration suite (renamed to TestInfoRegistryMirrors)
- Migrate TestInfoDiscoveryBackend to integration suite
- Migrate TestInfoDiscoveryInvalidAdvertise to integration suite
- Migrate TestInfoDiscoveryAdvertiseInterfaceName to integration suite
- Remove TestInfoFormat, which is testing the CLI functionality, and there is an
  existing test in docker/cli (TestFormatInfo) covering this

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-22 00:11:52 +02:00
Justin Cormack
f681590a25
Merge pull request #40081 from thaJeztah/http_constants
Use http constants for HTTP methods and status codes
2019-10-17 11:30:26 -07:00
Drew Erny
f36042d259 Add support for sending down service Running and Desired task counts
Adds a new ServiceStatus field to the Service object, which includes the
running and desired task counts. This new field is gated behind a
"status" query parameter.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-10-14 10:43:00 -05:00
Sebastiaan van Stijn
9ed58987ce
integration: use constants for http methods
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-13 17:30:13 +02:00
Tibor Vass
6ca3ec88ae builder: remove legacy build's session handling
This feature was used by docker build --stream and it was kept experimental.

Users of this endpoint should enable BuildKit anyway by setting Version to BuilderBuildKit.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-10-02 20:29:15 +00:00
Sebastiaan van Stijn
f60d6ee4bc
testutil: update WithInitsignature to be a daemon.Option
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-30 17:38:26 +02:00
Sebastiaan van Stijn
554d9cec25
testutil: update WithExperimental signature to be a daemon.Option
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-30 17:38:24 +02:00
Sam Whited
ae0a878b86 testutil, integration: untangle image dependency
Signed-off-by: Sam Whited <sam@samwhited.com>
2019-09-24 14:50:59 -05:00